Office (OOXML) malware analysis — malicious · 361f40dfb42878e9

MALICIOUS

Office (OOXML)

109.8 KB Created: 2019-05-22 19:33:00 UTC Authoring application: Microsoft Office Word 16.0000

MD5: be125c1b3af9853b61550713ab3529b3 SHA-1: ed16b4348117ebb66c6578d2f862ab4c4578956a SHA-256: 361f40dfb42878e93ce4304a3483ee6c1d1f811d623df6208314642fa5b84975

122 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution T1129 Execution through API

The sample is an OOXML document identified as malicious due to the presence of an embedded OLE object. Heuristics indicate this object is likely a payload for CVE-2026-21514, designed to drop an auto-executable file. The embedded OLE package itself is a critical indicator of this exploit.

Heuristics 4

OOXML Ole10Native with payload/link indicators — possible CVE-2026-21514 high CVE likely CVE_2026_21514

Office document contains embedded OLE (word/embeddings/oleObject1.bin) with Ole10Native plus executable, PE, or risky remote-link indicators. This is a likely CVE-2026-21514 exploitation shape.
Ole10Native package drops an auto-executable payload critical OFFICE_PACKAGE_RISKY_FILE

OLE Package displayName or fullPath ends in a directly auto-executable extension (a runnable binary or a script the default shell host runs on double-click). Embedding such a payload inside an Office document has no benign authoring use — it is a malware-delivery dropper.
Embedded OLE object medium OOXML_OLE_OBJECT

Document contains an embedded OLE object
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://www.copel.br
- http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas
- http://schemas.microsoft.com/office/drawing/2014/chartex
- http://schemas.microsoft.com/office/drawing/2015/9/8/chartex
- http://schemas.microsoft.com/office/drawing/2015/10/21/chartex
- http://schemas.microsoft.com/office/drawing/2016/5/9/chartex
- http://schemas.microsoft.com/office/drawing/2016/5/10/chartex
- http://schemas.microsoft.com/office/drawing/2016/5/11/chartex
- http://schemas.microsoft.com/office/drawing/2016/5/12/chartex
- http://schemas.microsoft.com/office/drawing/2016/5/13/chartex
- http://schemas.microsoft.com/office/drawing/2016/5/14/chartex
- http://schemas.openxmlformats.org/markup-compatibility/2006
- http://schemas.microsoft.com/office/drawing/2016/ink
- http://schemas.microsoft.com/office/drawing/2017/model3d
- http://schemas.openxmlformats.org/officeDocument/2006/relationships
- http://schemas.openxmlformats.org/officeDocument/2006/math
- http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing
- http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
- http://schemas.openxmlformats.org/wordprocessingml/2006/main
- http://schemas.microsoft.com/office/word/2010/wordml
- http://schemas.microsoft.com/office/word/2012/wordml
- http://schemas.microsoft.com/office/word/2016/wordml/cid
- http://schemas.microsoft.com/office/word/2015/wordml/symex
- http://schemas.microsoft.com/office/word/2010/wordprocessingGroup
- http://schemas.microsoft.com/office/word/2010/wordprocessingInk
- http://schemas.microsoft.com/office/word/2006/wordml
- http://schemas.microsoft.com/office/word/2010/wordprocessingShape

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`ooxml_oleobject_00.bin` `d9d776e8c348ac427713e9990db7a334f74bc39ce9ff4e293e356524491ab928`	ooxml-ole-object	OOXML embedded OLE part: word/embeddings/oleObject1.bin	45056 bytes
`ooxml_oleobject_00_ole10native_00.bin` `ca263c37f3295502685c48146c42c06bdced80c179431f93a43153efc6e51c63`	ole-package	OOXML word/embeddings/oleObject1.bin Ole10Native stream: Ole10Native	41580 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.